Apple has a very serious problem that has suddenly become a headline issue, undermining claims about iPhone’s security and privacy credentials. It turns out that what happens on your iPhone, doesn’t always stay on your iPhone after all.
I have warned before about the dangerous flaw in Apple’s iPhone security when it comes to the private messages sent between its billion-plus users. “Privacy is built in from the beginning,” Apple says. “Powerful security features help prevent anyone except you from being able to access your information.” If only it were that clear-cut. Now a new warning from a very surprising source has hit the news.
iMessage is Apple’s stock end-to-end encrypted messenger. Designed to compete with WhatsApp, it seems to have the same security—albeit only when communicating within Apple’s ecosystem. Message an Android user and you fall back to SMS, which is unacceptable in 2021—more on that later. But even when you think you’re secure, you’re probably wrong. iMessage has an alarming catch.
The issue is iCloud and the general backups you make from your iPhone. If you use Apple’s default, recommended settings, then you run Messages in iCloud—meaning you sync your messages across all your devices, and you also run a generic iCloud backup, meaning you save a copy of your phone’s data and settings to Apple’s cloud.
Here’s where it gets complicated. iMessage is secured by end-to-end encryption, the idea being that the keys to decrypt messages between you and those you message are only shared between you. That stops anyone intercepting your content. But in a bizarre twist, Apple stores a copy of those encryption keys in that iCloud backup, which it can access. That means the end-to-end encryption is actually fairly pointless.
This issue came to the fore this week, with the publication of a sensitive FBI document that advises on which messaging platforms its agents can most easily access. The iMessage issue was front and center: “if target uses iCloud backup, the encryption keys should also be provided with [lawful access] content return; can also acquire iMessages from iCloud returns if…